Abstract


Threshold automata, and the counter systems they define, were introduced as a framework for 
parameterized model checking of fault-tolerant distributed algorithms. This application domain 
suggested natural constraints on the automata structure, and a specific form of acceleration, 
called single-rule acceleration: consecutive occurrences of the same automaton rule are executed 
as a single transition in the counter system. These accelerated systems have bounded diameter,
and can be verified in a complete manner with bounded model checking. 

We go beyond the original domain, and investigate extensions of threshold automata: non- 
linear guards, increments and decrements of shared variables, increments of shared variables 
within loops, etc., and show that the bounded diameter property holds for several extensions. 
Finally, we put single-rule acceleration in the scope of flat counter automata: although increments 
in loops may break the bounded diameter property, the corresponding counter automaton is 
flattable, and reachability can be verified using more permissive forms of acceleration. 
1 Introduction


Threshold automata were introduced as a framework for modeling and verification [23, 25, 24, 
22] and recently for synthesis [29] of fault-tolerant distributed algorithms. These algorithms 
typically wait for a quorum of messages, e.g., in replication services, the primary replica may 
block until it received acknowledgments from a majority of the back-up replicas [28, 33, 14, 34]. 
Figure 1 A threshold automaton.


Moreover, these algorithms are parameterized by design, i.e., the number of processes n is 
a parameter, and consequently, the primary in our example contains a guard that waits 
for more than n/2 messages, a so-called threshold guard. As a result, the local transition 
relation is parameterized, and therefore these systems are out of reach of classic work in 
parameterized model checking [15, 7]. 

We recall the necessary notions of threshold automata by the example in Figure 1. It
operates on parameters $n$, $t$, and $f$, and shared variables $x$ and $y$. The vertices are called
locations, and the edges are called rules, which can be guarded, and can increase a shared
variable. For instance, the threshold guard in rule $r_1$ compares the value of variable $x$ to a
linear expression over parameters, $n - f$. The semantics of threshold automata is defined via
counter systems, where a configuration contains the values of shared variables, and a counter
value $\kappa_i$ for each location $\ell_i$. The transition relation then is defined by operations on the
counters and shared variables. For instance, for some $c$, if $\kappa_2 \ge c$, then there is a transition
defined by rule $r_4$ that increases $\kappa_4$ by $c$, decreases $\kappa_2$ by $c$ and increases $x$ by $c$.

By allowing arbitrary values of factor c, one obtains a transition relation with a specific 
form of acceleration (single-rule acceleration), built-in by construction. Then, the transition 
system is a graph with vertices being configurations, and edges being transitions. By 
defining paths in this graph, and distances between vertices, one can define the diameter 
of a transition system. If the diameter d is bounded, then every state is reachable in d 
steps, and bounded model checking of executions of lengths up to d is a complete verification 
method for reachability [6]. It was shown [25] that the diameter of transition systems defined 
by threshold automata is bounded, and in particular, it does not depend on the values of 
the parameters such as n, t, and f. However, several restrictions on threshold automata 
were used in [25] to bound the diameter. While these restrictions are well-justified for the 
original domain of fault-tolerant algorithms, two questions remain open: (i) which of these 
restrictions were actually necessary to prove the results under single-rule acceleration, and 
(ii) which restrictions could be avoided by allowing a more permissive form of acceleration? 

The purpose of this paper is to explore various extensions of threshold automata, and 
understand which of them maintain a bounded diameter. We study extensions of the following 
properties of threshold automata as defined in [25]: 


Increments in loops. Canonical threshold automata defined in [25] do not allow updates of 
shared variables within loops. 


Guards. In [25], threshold guards compare shared variables to a threshold, that is, a linear 
combination of parameters. Since parameter values are fixed in a run, thresholds are 
effectively constant. As shared variables can only increase in [25], the guards are monotonic; 
for instance, once the shared variable is greater than the threshold it stays greater, and 
the evaluation of the guards stays unchanged after that. We consider more general guards: 
we replace the shared variables (e.g., x) by a function over shared variables, and consider 
the special case of a difference $(x - y)$, as well as piecewise monotone functions.
Table 1 Summary of results. "p.m. f(x)" means a piecewise monotone function of x.

Level      Reversals  Canonical  Bounded diameter?  Flattable?   Decidable reachability?  Class name
x          0          ✓          ✓ [25, Thm. 8]     ✓            ✓                        TA
p.m. f(x)  0          ✓          ✓ Cor. 18          ✓            ✓                        PMTA
x          ≤ k        ✓          ✓ [27, Thm. 4]     ✓            ✓                        rbTA
x          0          ✗          ✗ Thm. 9           ✓ Thm. 24    ✓                        NCTA
x − y      0          ✓          ✗                  ✗            ✗ Thm. 11                BDTA
x          ∞          ✓          ✗                  ✗            ✗ Thm. 10                rTA


Reversibility. In [25], only increments on shared variables are considered because increments 
are sufficient to model sending a message. As a result, threshold guards were monotone. 
In this paper, we also consider decrements, which produce schedules that have alternating 
periods of increasing a variable and decreasing it. 


For these extensions, we show that under certain conditions these automata entail bounded 
diameter results as well. Thus, the diameter result of [25] can be seen as a special case of 
the results of this paper. 

Finally, we consider threshold automata in the scope of counter automata, a modeling 
framework for infinite-state systems [10, 30, 4]. We consider the concepts of (i) a flat counter 
automaton, whose control graph does not contain nested loops, and (ii) a flattable counter 
automaton, for which a flat counter automaton with the same reachability relation exists. 
For these automata, there are procedures and tools (FAST) for reachability analysis [30, 4]. 
We discuss how the results of [25, 21] imply that canonical threshold automata (no
increments in loops) entail flattable counter automata, which explains why FAST verified
some benchmarks in the experiments of [25]. Moreover, we show that we can get rid of the 
canonicity restriction and still prove that the resulting counter automaton is flattable. That 
is, while non-canonical threshold automata do not fall into the fragment that can be verified 
with the methods from [25, 21], one can still analyze these automata with more permissive 
forms of acceleration as implemented in FAST. 

An overview of our results is in Table 1, where the simpler classes are at the top; these 
classes are defined in Section 2.3. The bounded diameter property implies flattability, as 
we show in Proposition 21, which can be seen in the first three lines. For completeness, in 
line 3, we mention results on reversal-bounded threshold automata rbTA, which consider the 
structure of runs rather than threshold automata [27]. Note that flattability of a counter 
automaton implies that reachability for this automaton is decidable [30]. 


2 System model


This section generalizes the definitions of [25]. We use the following sets: integers $\mathbb{Z}$ and
their extension $\overline{\mathbb{Z}} = \mathbb{Z} \cup \{-\infty, +\infty\}$, non-negative integers $\mathbb{N}_0$, reals $\mathbb{R}$.
We denote a vector of integers by $\vec{x}$. When the vector dimension is clear, we write $\vec{1}_k$ to denote
the unit vector that has 1 at position $k$ and 0 everywhere else, and $\vec{0}$ is the vector filled with zeroes.


2.1 Unrestricted threshold automata 


An unrestricted threshold automaton (UTA) is a tuple $(\mathcal{L}, \mathcal{I}, \Gamma, \Pi, \mathcal{R})$ where $\mathcal{L}$ is a finite set of
local states (locations), $\mathcal{I} \subseteq \mathcal{L}$ is a set of initial local states, $\Gamma$ is a finite set of shared variables,
$\Pi$ is a finite set of parameter variables, and $\mathcal{R}$ is a finite set of rules, which are defined below.
Figure 2 An unrestricted threshold automaton.


Guards. A nonlinear guard of a UTA is a formula $\mathit{thd}(\vec{p}) \bowtie \mathit{lvl}(\vec{x})$, where $\vec{p} = [p_1, \ldots, p_{|\Pi|}]$,
$\vec{x} = [x_1, \ldots, x_{|\Gamma|}]$, $\mathit{lvl} : \mathbb{Z}^{|\Gamma|} \to \mathbb{R}$ is the level function, $\mathit{thd} : \mathbb{Z}^{|\Pi|} \to \mathbb{R}$ is the threshold function,
and $\bowtie$ is one of $\{<, \le, >, \ge\}$. When $\bowtie$ is either $<$ or $\le$, the guard is called a lower guard,
otherwise it is an upper guard. For $x \in \Gamma$ and $a_0, a_1, \ldots, a_{|\Pi|} \in \mathbb{Z}$, a guard of the following
form is called affine: $a_0 + \sum_{i=1}^{|\Pi|} a_i p_i \bowtie x$. (Affine guards have only one shared variable.)


Rules. A rule is a tuple $(\mathit{from}, \mathit{to}, \Phi, \vec{u})$ where $\mathit{to}, \mathit{from} \in \mathcal{L}$ are two local states, $\Phi$ is a set
of nonlinear guards and $\vec{u} \in \mathbb{Z}^{|\Gamma|}$ is an update vector.


> Example 1. Consider the automaton in Figure 2, demonstrating the nonlinear guards and 
rules that are not considered in [25]. < 


2.2 Semantics of UTA: counter systems 


Configurations. For a UTA $A = (\mathcal{L}, \mathcal{I}, \Gamma, \Pi, \mathcal{R})$, a triple of vectors
$(\vec{\kappa}, \vec{g}, \vec{p}) \in \mathbb{N}_0^{|\mathcal{L}|} \times \mathbb{Z}^{|\Gamma|} \times \mathbb{N}_0^{|\Pi|}$ is called a configuration.
The vectors have the following meaning: vector $\vec{\kappa} \in \mathbb{N}_0^{|\mathcal{L}|}$ stores the values of the location counters,
vector $\vec{g} \in \mathbb{Z}^{|\Gamma|}$ stores the values of the shared variables, and vector $\vec{p} \in \mathbb{N}_0^{|\Pi|}$ stores the parameters.


Transitions. Given a UTA $A = (\mathcal{L}, \mathcal{I}, \Gamma, \Pi, \mathcal{R})$, a transition is a pair $(\mathit{rule}, \mathit{factor})$ where
$\mathit{rule} \in \mathcal{R}$ and $\mathit{factor} \in \mathbb{N}_0$. Note that the single-rule acceleration is built into the definition
of a transition, by allowing $\mathit{factor} > 1$. We use the notation $t.\mathit{rule}$ and $t.\mathit{factor}$ to refer to
the tuple elements of the same name. Additionally, for any tuple field $e$ of $t.\mathit{rule}$ we shorten
$t.\mathit{rule}.e$ to $t.e$ for brevity (e.g., $t.\mathit{rule}.\mathit{from}$ becomes $t.\mathit{from}$).

Given a configuration $\sigma$ and a formula $\varphi$ over the shared variables $\Gamma$ and parameters $\Pi$,
we will use the notation $(\sigma.\vec{g}, \sigma.\vec{p}) \models \varphi$, or just $\sigma \models \varphi$, to mean that the formula $\varphi$ holds true
when the shared variables and the parameters are substituted with their respective values
from $\sigma.\vec{g}$ and $\sigma.\vec{p}$.

We say that a rule $r$ is unlocked in a configuration $\sigma$ if $(\sigma.\vec{g}, \sigma.\vec{p}) \models \bigwedge_{\varphi \in r.\Phi} \varphi$. Further,
a transition $t = (r, a)$ is unlocked in a configuration $\sigma$ if $r$ remains unlocked after at
least $a - 1$ updates imposed by $r.\vec{u}$, that is, for each $k \in \{0, 1, \ldots, a - 1\}$, it holds that
$(\sigma.\vec{g} + k \cdot r.\vec{u}, \sigma.\vec{p}) \models \bigwedge_{\varphi \in r.\Phi} \varphi$.
> Definition 2. A transition $t = (r, a)$ is applicable to a configuration $\sigma$ if $t$ is unlocked in $\sigma$
and $\sigma.\vec{\kappa}[r.\mathit{from}] \ge a$. When $t$ is applicable to $\sigma$, we call $\sigma'$ the result of applying $t$ to $\sigma$,
denoted as $t(\sigma)$, if the requirements 1–3 are met:

1. the location counters are changed by $a$, that is, $\sigma'.\vec{\kappa} = \sigma.\vec{\kappa} + a \cdot (\vec{1}_{r.\mathit{to}} - \vec{1}_{r.\mathit{from}})$;
2. the update vector is added $a$ times to the shared variables: $\sigma'.\vec{g} = \sigma.\vec{g} + a \cdot r.\vec{u}$;
3. the parameters do not change: $\sigma'.\vec{p} = \sigma.\vec{p}$.


Definition 2 explicitly allows successive applications of the same rule to be compressed 
into a single transition. This kind of acceleration was introduced in [25], and we call it 
single-rule acceleration. 
> Example 3. Consider the automaton in Figure 1. The following table shows a configuration
$\sigma_0$, and configurations $\sigma_1$ and $\sigma_2$ after applying one and two transitions, respectively, to
the configuration $\sigma_0$:


configuration   counters $\vec{\kappa}$   shared variables $\vec{g}$   parameters $\vec{p}$
$\sigma_0$      (4, 0, 0, 0, 0)           (0, 0)                       (4, 1, 1)
$\sigma_1$      (2, 2, 0, 0, 0)           (0, 0)                       (4, 1, 1)
$\sigma_2$      (2, 1, 0, 1, 0)           (1, 0)                       (4, 1, 1)


First, the parameters are initialized to $n = 4$, $t = f = 1$, and the counter of location $\ell_1$
equals $n$ (configuration $\sigma_0$). Then, transition $(r_3, 2)$ is applied to $\sigma_0$, resulting in the
counter of $\ell_2$ increasing by 2 and the counter of $\ell_1$ decreasing by 2 in configuration $\sigma_1$.
Finally, rule $r_4$ is executed once, incrementing $x$ to obtain $\sigma_2$. <


Number of instances. As in [25], we assume that a threshold automaton is equipped with
a function $N : \mathbb{N}_0^{|\Pi|} \to \mathbb{N}_0$. Intuitively, every configuration $\sigma$ captures a state of $N(\sigma.\vec{p})$
instances of the threshold automaton. The authors of [25] did not restrict function $N$, as
they were concerned only with the length of the shortest sequences of transitions connecting
any two configurations. In this paper, we assume that the relation $\{(\vec{p}, N(\vec{p})) : \vec{p} \in \mathbb{N}_0^{|\Pi|}\}$ can
be defined with a formula in Presburger arithmetic. In Example 3, we define $N$ with the
following formula over the parameters $n$, $t$, and $f$ as well as the outcome of the function $N$:
$(n > 3t \to N = n - f \wedge f > 0 \wedge t > 0) \wedge (n \le 3t \to N = 0)$.

In our example, the number $N$ is positive only if $n > 3t$, and equals zero otherwise.
This allows us to prune "irrelevant" parameter values. (In distributed computing, this is
achieved by writing a so-called resilience condition.)


Counter systems. Having defined the configurations and transitions, we define a counter 
system of a threshold automaton: 


> Definition 4. Given a UTA $A = (\mathcal{L}, \mathcal{I}, \Gamma, \Pi, \mathcal{R})$, we define its counter system $\mathit{CS}(A)$ as a
transition system $(\Sigma, I, R)$, where:

• $\Sigma$ is the set of all possible configurations.

• $I \subseteq \Sigma$ is the set of initial configurations; their counter values in the initial locations sum
up to $N(\vec{p})$. Formally, a configuration $\sigma_0 \in \Sigma$ belongs to $I$ if and only if the following
conditions hold: $\sigma_0.\vec{\kappa}[\ell] = 0$ for $\ell \in \mathcal{L} \setminus \mathcal{I}$ and $N(\sigma_0.\vec{p}) = \sum_{\ell \in \mathcal{I}} \sigma_0.\vec{\kappa}[\ell]$, as well as $\sigma_0.\vec{g} = \vec{0}$.

• $R \subseteq \Sigma \times \Sigma$ is the transition relation. A pair of configurations $(\sigma, \sigma')$ belongs to $R$ if and
only if there is a transition $t$ that is applicable to $\sigma$, and $\sigma' = t(\sigma)$.


A schedule is a finite sequence of transitions. A schedule $\tau = t_1, \ldots, t_m$ is applicable to a
configuration $\sigma_0$ if there exists a sequence of configurations $\sigma_1, \ldots, \sigma_m$ where $\sigma_i = t_i(\sigma_{i-1})$
for all $1 \le i \le m$. We define $\tau(\sigma_0)$ to be $\sigma_m$. We denote the concatenation of schedules $\tau$
and $\tau'$ by $\tau \cdot \tau'$ and the length of a schedule $\tau = t_1, \ldots, t_m$ as $|\tau| = m$. By $\varepsilon$, we refer to the
empty schedule, which has length 0 and satisfies $\varepsilon(\sigma) = \sigma$ for all $\sigma$ in $\Sigma$.

For a schedule $\tau = t_1, \ldots, t_n$ and two indices $i, j \in \mathbb{Z}$, we define the subschedule $\tau_{[i,j]}$ as
follows ($\tau_{[i,j)}$, $\tau_{(i,j]}$, and $\tau_{(i,j)}$ are obtained by choosing the intervals accordingly):

$\tau_{[i,j]} = t_{\max(1,i)}, \ldots, t_{\min(n,j)}$, when $i \le j$;

$\tau_{[i,j]} = \varepsilon$, when $i > j$.


We say that a configuration $\sigma'$ is reachable from a configuration $\sigma$, if there is a schedule $\tau$
with the following properties: (1) $\tau$ is applicable to $\sigma$, and (2) $\tau(\sigma) = \sigma'$.

Bounded diameters. The central result of [25] is that for counter systems of threshold
automata one can check whether one configuration is reachable from another. It is sufficient
to inspect the schedules of length within a precomputed bound on the diameter:


> Definition 5. Given a UTA $A$ and its counter system $\mathit{CS}(A) = (\Sigma, I, R)$, a number
$d \in \mathbb{N}_0 \cup \{\infty\}$ is the diameter of $\mathit{CS}(A)$ if $d$ is the smallest number with the following property:

For every pair of configurations $\sigma, \sigma' \in \Sigma$, if $\sigma'$ is reachable from $\sigma$, then there is a
schedule $\tau'$ such that: (a) $\tau'$ is applicable to $\sigma$, (b) $\tau'(\sigma) = \sigma'$, and (c) $|\tau'| \le d$.


One of our contributions is in finding fragments of unrestricted threshold automata whose
counter systems have a bounded diameter. In Section 4, we give examples of UTA whose
counter systems have unbounded diameters. Moreover, we show that there are classes of UTA,
for which the following problem, which generalizes the problem from [21], is undecidable:


Parameterized reachability. Given a UTA $A = (\mathcal{L}, \mathcal{I}, \Gamma, \Pi, \mathcal{R})$, a state property $B$ is a
Boolean combination of formulas that have the form $\vec{\kappa}[\ell] = 0$, for some $\ell \in \mathcal{L}$. The
parameterized reachability problem is to decide whether there are parameter values $\vec{p} \in \mathbb{N}_0^{|\Pi|}$,
an initial configuration $\sigma_0 \in I$ with $\sigma_0.\vec{p} = \vec{p}$, and a schedule $\tau$, such that $\tau$ is applicable
to $\sigma_0$, and property $B$ holds in the final state: $\tau(\sigma_0) \models B$.


2.3 Fragments of unrestricted threshold automata 


In order to prove the bounded diameter property, we consider various restrictions on the 
guards, updates, the transition relation, and other aspects of UTA. The first restriction 
prohibits modifications of shared variables in loops [25]: 


> Definition 6. A rule $r$ lies on a cycle, if there is a sequence of rules $r_0, \ldots, r_k$, where
$r = r_0$ and $r_i.\mathit{to} = r_j.\mathit{from}$ for $0 \le i \le k$ and $j = i + 1 \bmod (k + 1)$.
A UTA is canonical if $r.\vec{u} = \vec{0}$ for every rule $r \in \mathcal{R}$ that lies on a cycle.


Canonical Threshold Automata (TA). This class contains UTAs with the following prop- 
erties: (1) they are canonical, (2) all guards are affine, and (3) the update vectors in all rules 
are non-negative. This is the class of automata considered in [25, 24], which is known to 
have a bounded diameter: 


> Theorem 7 ([25]). For every TA $A$, there exists a constant $C$, such that the diameter of the
associated counter system is less than or equal to $d(\mathit{CS}(A)) = (C + 1) \cdot |\mathcal{R}| + C$ (independently
of the parameters).


Piecewise Monotone Threshold Automata (PMTA). This class contains UTAs with the
following properties: (1) they are canonical, (2) all level functions in the guards are piecewise
monotone¹, and (3) the update vectors in all rules are non-negative.


Bounded Difference Threshold Automata (BDTA). This class contains UTAs with the
following properties: (1) they are canonical, (2) all level functions in the guards are of the
form $x_i$ or $x_i - x_j$ for some $x_i, x_j \in \Gamma$, and (3) the update vectors in all rules are non-negative.


1 The domain of a piecewise monotone function can be decomposed into finitely many intervals where the 
function is monotone. 
Figure 3 A simple NCTA.
Figure 4 A BDTA with unbounded diameter.


Non-canonical generalizations of TA, PMTA, and BDTA. For the mentioned classes, we 
omit the requirement of the automaton being canonical, and denote these classes as: NCTA, 
NCPMTA, and NCBDTA. 


Reversible TA, PMTA, and BDTA. For the mentioned classes, we allow shared variables
to be both increased and decreased, and denote these classes as: rTA, rPMTA, and rBDTA.


Reversal-bounded extensions of TA, PMTA, and BDTA. To introduce reversal-bounded 
automata, we need the following definition. 


> Definition 8. A schedule $t_1 \cdot \tau \cdot t_2$ is an $x$-reversal if: (a) one of the transitions $t_1$ or $t_2$
increases $x$ and the other decreases $x$, that is, $t_1.\vec{u}[x] \cdot t_2.\vec{u}[x] < 0$, and (b) every transition $t$
in $\tau$ does not update $x$, that is, $t.\vec{u}[x] = 0$. If for every shared variable $x$, the number of
$x$-reversals in a schedule is at most $N$, the schedule is called $N$-reversible.


Similar to reversal-bounded counter machines [20], we define the classes rbTA, rbPMTA, 
and rbBDTA by restricting the counter systems of the respective reversible automata to 
N-reversible schedules (where N is fixed). 


3 Negative results: unbounded diameters and undecidability


We give examples of NCTA and BDTA whose counter systems have unbounded diameters. 
Then, we show that reachability is undecidable for counter systems of BDTA and rTA. 


3.1 Unbounded diameters of non-canonical threshold automata 


When we permit shared variables to be updated within loops, the diameter of the counter 
system becomes unbounded: 


> Theorem 9. There is an NCTA whose counter system has unbounded diameter. 


Proof. Figure 3 shows such an NCTA, where $x$ is the only shared variable, and $n$ the only
parameter. To prove the theorem, take the configuration $\sigma$ with $\sigma.\vec{\kappa} = (1, 0)$, $\sigma.\vec{g} = (0)$,
and $\sigma.\vec{p} = (n)$ for $n > 0$. We show that the following configuration $\sigma'$ can be reached from $\sigma$
in no less than $n + 1$ transitions: $\sigma'.\vec{\kappa} = (0, 1)$, $\sigma'.\vec{g} = (n)$, and $\sigma'.\vec{p} = (n)$. In $\sigma$, rule $r_2$ is
locked, and rule $r_1$ is not, so $r_1$ must be used at least $n$ times to unlock $r_2$. Since the sum
of the values of location counters initially is 1 and is invariant, we can only use transitions
with a factor of at most 1. Thus, to reach $\sigma'$ from $\sigma$, we have to execute $n$ copies of the
transition $(r_1, 1)$ and then the transition $(r_2, 1)$. Hence, the diameter must be at least $n + 1$,
and thus grows with the unbounded parameter $n$. <


The automaton in Figure 3 encodes the simple loop “while (n <= x) x++;” One can 
argue that this automaton can be accelerated by compressing self-loops into one transition; 
which requires another form of acceleration. Figure 5 shows an example that cannot be easily 
fixed by this. This example can be treated with more general acceleration techniques, as 
demonstrated in Section 6. 
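The counter-system semantics of Definition 2, replayed against the table of Example 3 (Section 2.2), and a breadth-first search that reproduces the n + 1 lower bound from the proof of Theorem 9, as an added Python example that is not part of the paper. It assumes only the two rules of Figure 1 that Example 3 uses (r3: ℓ1 → ℓ2 with no guard and no update; r4: ℓ2 → ℓ4 incrementing x) and reads Figure 3 as r1: a self-loop on ℓ1 incrementing x, and r2: ℓ1 → ℓ2 guarded by n ≤ x; the remaining rules of Figure 1 are left out.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# A guard is a predicate over (shared variables g, parameters p); the affine guard
# thd(p) <= x of the paper becomes a small lambda that reads the parameter from p.
Guard = Callable[[Tuple[int, ...], Tuple[int, ...]], bool]


@dataclass(frozen=True)
class Rule:
    name: str
    frm: int                          # index of the source location
    to: int                           # index of the target location
    guards: Tuple[Guard, ...] = ()    # the set Phi of guards of the rule
    update: Tuple[int, ...] = ()      # the update vector u over the shared variables


@dataclass(frozen=True)
class Config:
    kappa: Tuple[int, ...]   # location counters
    g: Tuple[int, ...]       # shared variables
    p: Tuple[int, ...]       # parameters (never change)


def unlocked(rule: Rule, sigma: Config, factor: int) -> bool:
    """(rule, factor) is unlocked: all guards hold after k updates for k = 0 .. factor-1."""
    for k in range(max(factor, 1)):
        g_k = tuple(v + k * u for v, u in zip(sigma.g, rule.update))
        if not all(guard(g_k, sigma.p) for guard in rule.guards):
            return False
    return True


def applicable(rule: Rule, sigma: Config, factor: int) -> bool:
    """Definition 2: unlocked, and at least `factor` processes sit in the source location."""
    return unlocked(rule, sigma, factor) and sigma.kappa[rule.frm] >= factor


def apply_transition(rule: Rule, sigma: Config, factor: int) -> Config:
    """Single-rule acceleration: `factor` consecutive firings of `rule` as one transition."""
    if not applicable(rule, sigma, factor):
        raise ValueError(f"transition ({rule.name}, {factor}) is not applicable")
    kappa = list(sigma.kappa)
    kappa[rule.frm] -= factor
    kappa[rule.to] += factor
    g = tuple(v + factor * u for v, u in zip(sigma.g, rule.update))
    return Config(tuple(kappa), g, sigma.p)


# Assumed fragment of Figure 1: locations l1..l5 are indices 0..4, shared (x, y), parameters (n, t, f).
FIG1: Dict[str, Rule] = {
    "r3": Rule("r3", frm=0, to=1, guards=(), update=(0, 0)),
    "r4": Rule("r4", frm=1, to=3, guards=(), update=(1, 0)),   # x++
}


def example_3() -> Tuple[Config, Config, Config]:
    """Replays Example 3: (r3, 2) and then (r4, 1) from sigma_0 = (kappa=(4,0,0,0,0), g=(0,0), p=(4,1,1))."""
    sigma0 = Config((4, 0, 0, 0, 0), (0, 0), (4, 1, 1))
    sigma1 = apply_transition(FIG1["r3"], sigma0, 2)
    sigma2 = apply_transition(FIG1["r4"], sigma1, 1)
    return sigma0, sigma1, sigma2


# Assumed reading of Figure 3: locations (l1, l2) are indices (0, 1), shared (x,), parameter (n,).
FIG3: Dict[str, Rule] = {
    "r1": Rule("r1", frm=0, to=0, guards=(), update=(1,)),                             # x++ on a loop
    "r2": Rule("r2", frm=0, to=1, guards=(lambda g, p: p[0] <= g[0],), update=(0,)),   # guard n <= x
}


def shortest_schedule(rules: Dict[str, Rule], start: Config, target: Config,
                      max_shared: int) -> Optional[int]:
    """Breadth-first search over CS(A): length of the shortest schedule from start to target, or None.
    Factors range over 1..#processes; shared values above max_shared are cut off to keep the search finite."""
    processes = sum(start.kappa)
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        sigma, dist = queue.popleft()
        if sigma == target:
            return dist
        for rule in rules.values():
            for factor in range(1, processes + 1):
                if not applicable(rule, sigma, factor):
                    continue
                nxt = apply_transition(rule, sigma, factor)
                if any(v > max_shared for v in nxt.g) or nxt in seen:
                    continue
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def theorem_9_distance(n: int) -> Optional[int]:
    """Distance from kappa=(1,0), x=0 to kappa=(0,1), x=n in Figure 3; the proof shows it is n + 1."""
    start = Config((1, 0), (0,), (n,))
    target = Config((0, 1), (n,), (n,))
    return shortest_schedule(FIG3, start, target, max_shared=n + 1)
```

With a single process every factor above 1 is rejected by `applicable`, so the search confirms that the shortest schedule grows linearly in n, exactly the situation in which single-rule acceleration cannot help.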
Figure 5 A non-canonical automaton with unbounded diameter.


3.2 Undecidability for reversible and bounded-difference automata 


We show even stronger results for rTA and BDTA: reachability is undecidable and thus 
counter systems of such automata cannot be analyzed with any form of acceleration. 


> Theorem 10. Parameterized reachability for counter systems of loop-free rTA is undecidable. 


Proof. We use rTA to encode two-counter machines 2CM, for which the halting problem is
undecidable [32]. A command of a 2CM is a triple $(\mathit{from}, \mathit{cmd}, \mathit{to})$ where $\mathit{from}$ and $\mathit{to}$ are
labels from the set $\{1, \ldots, m\}$ for some $m$, and $\mathit{cmd}$ is one of the operations: inc x, dec x,
inc y, dec y, zero? x, zero? y. The label $m$ designates the halting command. For the two
counters we use two shared variables $x$ and $y$. For each label $i$ we also add a shared variable
$\mathit{at}_i$, that we use as a Boolean flag to indicate whether the 2CM currently is at label $i$. There
is also a shared variable $\mathit{init}$, which is used for initialization.

It remains to encode the control structure of a 2CM (which may contain loops) in a
threshold automaton without loops. Our rTA has three locations $\ell_0, \ell_1, \ell_2$, where $\ell_0$ is the
initial one. First, we introduce a special initialization rule from $\ell_0$ to $\ell_1$ that is guarded
with $\mathit{init} < 1$ and increments $\mathit{init}$. Second, for each command we introduce a rule from $\ell_0$
to $\ell_1$. For command $(i, \mathit{cmd}, j)$, the rule is guarded with $\mathit{at}_i > 0 \wedge \mathit{init} \ge 1 \wedge \mathit{init} < 2$, and,
e.g., $0 \ge x \wedge 0 \le x$, if the test for zero is needed. The update of the rule contains $\mathit{at}_i$-- and
$\mathit{at}_j$++ (goto label $j$ from label $i$), and the required increment/decrement of a counter as, e.g.,
$x$++ or $y$--. Third, the last rule detects that the 2CM halted: it goes from $\ell_0$ to $\ell_2$ and is
guarded with $\mathit{at}_m \ge 1$.

The number of instances is $N(n) = n + 2$ for the only parameter $n$. Thus, $n$ steps of
the 2CM are modeled by $n + 1$ transitions of the constructed counter system; the $(n + 2)$th
transition may move at least one automaton to the location $\ell_2$. Hence, the counter system
simulates arbitrarily many steps of the 2CM. We ask the parameterized reachability question
of whether the counter system reaches a configuration $\sigma$ with $\sigma.\vec{\kappa}[\ell_2] \ne 0$ (for some value
of $n$). A positive answer is given if and only if the 2CM halts; undecidability follows. <


Now we consider BDTA. Figure 4 shows an example of a BDTA whose counter system has
unbounded diameter: every schedule allowed by this threshold automaton is an alternating
sequence of the transitions $(r_1, 1)$ and $(r_2, 1)$. Thus, to increase the counter $\kappa_2$ to $n$, we
require a schedule of length $n$, which is an unbounded parameter. This shows that single-rule
acceleration does not help us to analyze BDTA. In fact, no form of acceleration helps:


> Theorem 11. Parameterized reachability for counter systems of loop-free BDTA is undecidable.


The proof goes along the same lines as the proof of Theorem 10. The only complication
is to encode a decrement of a shared variable by using increments and bounded differences.
To this end, for each variable $x$, we introduce two shared variables $x_1$ and $x_2$. The difference
$x_1 - x_2$ simulates a counter $x$. Whenever $x$ has to be decremented, we increment $x_2$, and
when $x$ has to be incremented, we increment $x_1$. A test $x = 0$ is simulated as a conjunction
$0 \ge x_1 - x_2 \wedge 0 \le x_1 - x_2$.
4 Positive results: bounding the diameter


We extend the framework and the proofs of [25] to prove the bounded diameter property 
for certain fragments of UTAs. A key observation in [25] is that if shared variables are only 
increased, then the evaluation of every (affine) threshold guard changes at most once in a 
schedule. This argument obviously applies even if increments occur in loops: 


> Proposition 12 (Monotonicity of affine guards). For an NCTA configuration $\sigma$, if a transition
$t$ is applicable to $\sigma$, then the following holds:
1. For a lower affine guard $\varphi$:
(a) If $\sigma \models \varphi$, then $t(\sigma) \models \varphi$, and (b) if $t(\sigma) \not\models \varphi$, then $\sigma \not\models \varphi$.
2. For an upper affine guard $\varphi$:
(c) If $\sigma \not\models \varphi$, then $t(\sigma) \not\models \varphi$, and (d) if $t(\sigma) \models \varphi$, then $\sigma \models \varphi$.


4.1 A sufficient condition for diameter boundedness 


Proposition 12 does not apply to unrestricted threshold automata for two reasons: First,
NCTA only allow shared variables to be incremented, whereas UTA allow both increments
and decrements. Obviously, an affine threshold guard such as $n \le x$ can change its evaluation
arbitrarily many times, if increments and decrements of $x$ are alternated (as parameter $n$ is
constant in a schedule). Second, even if we restrict updates of shared variables to non-negative
vectors, guards such as $0 \le x - y$ can change their evaluations arbitrarily often in a single
schedule (cf. Theorem 11).

Proposition 12 implies that for every (affine) guard $\varphi$, when a schedule $\tau$ is applied to a
configuration $\sigma$, schedule $\tau$ can be split into two intervals: $\tau_{[1,k)}$ and $\tau_{[k,|\tau|]}$ with the following
property: $\tau_{[1,i]}(\sigma) \models \varphi$ iff $\sigma \models \varphi$ for $1 \le i < k$, and $\tau_{[1,j]}(\sigma) \models \varphi$ iff $\tau(\sigma) \models \varphi$ for $k \le j \le |\tau|$.
In other words, the evaluation of $\varphi$ may only change in the transition from $\tau_{[1,k-1]}(\sigma)$ to
$\tau_{[1,k]}(\sigma)$. We extend this idea to non-linear guards by requiring the guards to preserve their
evaluations in a bounded number of intervals. In the face of Theorem 11, we thus impose two
restrictions on UTA: (1) we allow only non-negative updates of shared variables, and (2) we
allow level functions to change the evaluation of the guards a bounded number of times.

Consider a guard $\varphi$, a configuration $\sigma$, and a schedule $\tau$ applicable to $\sigma$. We say that $\tau$
is steady with respect to $(\varphi, \sigma)$, if it has the following property: $\tau_{[1,i]}(\sigma) \models \varphi$ if and only if
$\sigma \models \varphi$ for $1 \le i \le |\tau|$.


> Definition 13 (Bounded steadiness). We say that a guard $\varphi$ of a UTA $A$ is bounded-steady
w.r.t. $A$, if there exists a number $N \ge 0$, called the flip bound of $\varphi$, with the following
property:

For every configuration $\sigma$ of the counter system of $A$ and every schedule $\tau = t_1, \ldots, t_n$
applicable to $\sigma$, there is a sequence of indices $0 = i_0 < i_1 < \cdots < i_N < i_{N+1} = n + 1$ such
that $\tau_{(i_j, i_{j+1})}$ is steady with respect to $\varphi$ and $\tau_{[1, i_j]}(\sigma)$ for $0 \le j \le N$.


Bounded-steadiness is central in proving the bounded diameter property: 


> Theorem 14 (Bounded diameter criterion). Every canonical UTA A with non-negative 
updates of shared variables satisfies the following: 

If every guard is bounded-steady w.r.t. A, then the diameter of the counter system CS(A) 
is bounded by a constant. 


In the context of TA, constructions are introduced in [25] to remove cycles and reorder 
transitions (to apply acceleration), in order to shorten subschedules in which evaluations of 
guards do not change, i.e., steady subschedules. The results of [25] can be summarized in 
the following lemma. 
> Lemma 15. There exists a total order of rules $\prec$ such that for every schedule $\tau$, there
exists a unique schedule, $\mathit{short}(\tau)$, with the following properties:

1. If transition $(r, a)$ appears in $\mathit{short}(\tau)$, then $\tau$ contains a transition $(r, a')$ for some $a'$.

2. If transition $(r, a)$ appears before $(r', a')$ in $\mathit{short}(\tau)$, then $r \prec r'$.

3. If for a configuration $\sigma$, an applicable schedule $\tau$ is steady with respect to all guards and $\sigma$,
then $\mathit{short}(\tau)$ is applicable to $\sigma$ and $\tau(\sigma) = \mathit{short}(\tau)(\sigma)$.


One can prove the above lemma independently of the shape of the guards. For the proof 
one only uses that in a steady schedule the evaluation of guards does not change. As a 
result, one can directly apply the proofs from [25] to generalize Lemma 15 to UTA. This 
allows us to replace a steady schedule 7 by short(r), which reaches the same state and whose 
length is bounded by Lemma 15(2), because threshold automata have a fixed number of rules
and $\prec$ is a total order. What remains to be proven for Theorem 14 is that every schedule
of a threshold automaton with bounded-steady guards can be decomposed into a bounded 
number of steady subschedules. 


Proof of Theorem 14. Let $\varphi_1, \ldots, \varphi_m$ be the bounded-steady guards. Let $\sigma$ be a configuration
and $\tau = t_1, \ldots, t_n$ a schedule applicable to it. Since each $\varphi_j$ is bounded-steady it has
a flip bound $N_j$, for which there exist $i^j_1, \ldots, i^j_{N_j}$ (with $i^j_0 = 0$ and $i^j_{N_j+1} = n + 1$, as in
Definition 13) with the property that $\tau_{(i^j_k, i^j_{k+1})}$ is steady with respect to $\varphi_j$ and $\tau_{[1, i^j_k]}(\sigma)$
for $0 \le k \le N_j$. We denote by $S_j$ the set of critical indices $\{i^j_1, \ldots, i^j_{N_j}\}$.

We denote by $S$ the set $\bigcup_{j=1}^{m} S_j$, and by $i_1, \ldots, i_l$ its elements. Additionally, denote
$i_0 = 0$ and $i_{l+1} = n + 1$. The set $S$ partitions $\tau$ into finer subschedules than each $S_j$, that is,
for every $0 \le k \le l$ and for every $1 \le j \le m$ there is an index $i^j_{k'} \in S_j$ such that the schedule
$\tau_{(i_k, i_{k+1})}$ is a subschedule of the steady schedule $\tau_{(i^j_{k'}, i^j_{k'+1})}$. Because a subschedule of a steady
schedule is also steady by definition (w.r.t. the configuration it is applied to and the same guard),
we can conclude that the schedules $\tau_{(i_k, i_{k+1})}$ are steady with respect to all guards $\varphi_j$ and
$\tau_{[1, i_k]}(\sigma)$.

We can therefore apply Lemma 15 to each $\tau_{(i_k, i_{k+1})}$ and replace it with a shortened
schedule. By property (2) of Lemma 15 and because $\prec$ is a total order, the length of the
shortened schedules is at most $|\mathcal{R}|$. After replacing every $\tau_{(i_k, i_{k+1})}$ with $\mathit{short}(\tau_{(i_k, i_{k+1})})$,
we obtain a schedule $\tau'$, which is applicable to $\sigma$, has the property that $\tau'(\sigma) = \tau(\sigma)$ and
$|\tau'| \le (|S| + 1) \cdot |\mathcal{R}| + |S|$. By the definition of $S$, it holds that $|S| \le \sum_{j=1}^{m} |S_j| \le \sum_{j=1}^{m} N_j$. <


4.2 Two fragments with bounded-steady guards 


Theorem 14 gives us a sufficient condition for a function to be used in a guard so that 
the resulting counter system has a bounded diameter. The condition applies to threshold 
automata with non-negative updates to shared variables. Thus, we can characterize bounded- 
steady guards by the shape of their level functions. 


> Proposition 16. Every canonical UTA $A$ with non-negative updates of shared variables has
the following property: If a threshold guard $\varphi$ has the shape $\mathit{thd}(\vec{p}) \bowtie F(y)$ for a shared variable
$y \in \Gamma$, a comparison $\bowtie \in \{<, \le, >, \ge\}$, and a piecewise-monotone function $F : \mathbb{Z} \to \mathbb{R}$, then
the guard $\varphi$ is bounded-steady w.r.t. $A$.


> Example 17. Consider piecewise-monotone functions $f_1(x)$, $f_2(x)$ and reals $a_n, \ldots, a_0, b \in \mathbb{R}$
with $b > 0$. Then, $a_n x^n + \ldots + a_1 x + a_0$, $b^x$, $\ln x$, and $\min\{f_1(x), f_2(x)\}$ are piecewise-
monotone functions of $x \in \mathbb{Z}$. Each of them can be used as $F(x)$ in Proposition 16, and thus
they produce bounded-steady guards. <
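Counting how often a guard's evaluation flips along a schedule with non-negative updates, as an added Python example that is not from the paper: it computes the critical indices and steady subschedules of Definition 13 and compares an affine lower guard (Proposition 12), a guard over a piecewise-monotone level function (Proposition 16, Example 17) and a difference guard 0 ≤ x − y (cf. Theorem 11). The thresholds, the level function F(x) = (x − 4)² and the update vectors are constructed here; the exhaustive search only illustrates the flip bound from one start vector, it does not prove it.

```python
import itertools
from typing import Callable, List, Sequence, Tuple

# Parameters are fixed in a run, so thd(p) is already a number here and a guard is a
# predicate over the shared-variable vector g alone.
Guard = Callable[[Tuple[int, ...]], bool]
Update = Tuple[int, ...]


def values_along(g0: Tuple[int, ...], updates: Sequence[Update]) -> List[Tuple[int, ...]]:
    """Shared-variable vectors of sigma, tau_[1,1](sigma), ..., tau_[1,n](sigma) for factor-1 transitions."""
    values = [g0]
    for u in updates:
        values.append(tuple(v + d for v, d in zip(values[-1], u)))
    return values


def flip_indices(guard: Guard, g0: Tuple[int, ...], updates: Sequence[Update]) -> List[int]:
    """Critical indices: the k (1-based) for which transition t_k changes the evaluation of `guard`."""
    evals = [guard(v) for v in values_along(g0, updates)]
    return [k for k in range(1, len(evals)) if evals[k] != evals[k - 1]]


def steady_intervals(guard: Guard, g0: Tuple[int, ...], updates: Sequence[Update]) -> List[Tuple[int, int]]:
    """Maximal steady subschedules tau_(i_j, i_{j+1}) as 1-based (first, last) pairs; (a, a-1) is empty."""
    bounds = [0] + flip_indices(guard, g0, updates) + [len(updates) + 1]
    return [(lo + 1, hi - 1) for lo, hi in zip(bounds, bounds[1:])]


def max_flips(guard: Guard, g0: Tuple[int, ...], max_len: int, steps: Sequence[Update]) -> int:
    """Largest number of flips over all schedules of length <= max_len built from the update vectors in `steps`."""
    worst = 0
    for length in range(1, max_len + 1):
        for updates in itertools.product(steps, repeat=length):
            worst = max(worst, len(flip_indices(guard, g0, updates)))
    return worst


# Constructed guards with the threshold already substituted (e.g. n - f = 4 for n = 5, f = 1):
AFFINE_LOWER: Guard = lambda g: 4 <= g[0]             # 4 <= x, an affine lower guard (Proposition 12)
PM_LEVEL: Guard = lambda g: 4 <= (g[0] - 4) ** 2      # 4 <= F(x), F piecewise monotone (Proposition 16)
DIFFERENCE: Guard = lambda g: 0 <= g[0] - g[1]        # 0 <= x - y, a BDTA guard (cf. Theorem 11)

SINGLE_VAR_STEPS: Tuple[Update, ...] = ((0,), (1,), (2,))   # non-negative updates of the only variable x


def flips_of_alternating_schedule(k: int) -> int:
    """From (x, y) = (0, 0), alternate y++ and x++ k times: 0 <= x - y flips at each of the 2k transitions."""
    return len(flip_indices(DIFFERENCE, (0, 0), [(0, 1), (1, 0)] * k))
```

For a single variable with non-negative updates the affine guard flips at most once and the piecewise-monotone one at most twice (once per monotone piece it crosses), whereas the difference guard flips as often as the schedule is long, which is why no flip bound exists for it.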
As a corollary of Proposition 16 and Theorem 14, the threshold automata with piecewise-
monotone functions in the guards have the bounded diameter property:


> Corollary 18. For every PMTA, the diameter of its counter system is bounded. 


Note that the affine threshold guards of [25] have the shape required in Proposition 16, 
and thus are just a special case. 

We generalize Proposition 16 to guards over multiple shared variables. Recall that an $m$-dimensional
integer box is a product of $m$ intervals, that is, $B = \mathbb{Z}^m \cap [a_1, b_1] \times \cdots \times [a_m, b_m]$
for some boundaries $a_1, b_1, \ldots, a_m, b_m \in \overline{\mathbb{Z}}$.


> Proposition 19. Consider a UTA with non-negative updates of shared variables. A nonlinear
guard $\mathit{thd}(\vec{p}) \bowtie \mathit{lvl}(\vec{x})$, for $\bowtie \in \{<, \le, >, \ge\}$, is bounded-steady, if:

For every level $C \in \mathbb{R}$, the function domain $\mathbb{Z}^{|\Gamma|}$ of the level function can be partitioned
into a finite set of disjoint $|\Gamma|$-dimensional boxes $B_1, \ldots, B_k$ that satisfy: $\{\vec{x} \in B_i \mid C \bowtie \mathit{lvl}(\vec{x})\}$
is equal to either $B_i$ or $\emptyset$ for $1 \le i \le k$.


As a result, the following two-variable functions give us bounded-steady guards: 


$x + y$, $x - y$, $\min(f_1(x), f_2(y))$ or $\max(f_1(x), f_2(y))$ for piecewise-monotone $f_1$ and $f_2$.


5 Relation to flattable counter automata


Counter automata model infinite-state systems and have acceleration procedures and tools
for reachability analysis [10, 30, 4]. Threshold automata give rise to accelerated counter
systems. In this section, we establish a link between these two frameworks. In particular,
from a threshold automaton $A$, we construct two kinds of counter automata: $CA^0(A)$ is
a counter automaton that executes a single UTA rule without any built-in acceleration,
and $CA^1(A)$ is a counter automaton that executes one UTA rule several times in one step.
The automaton $CA^1(A)$ corresponds to our counter system $CS(A)$ in Section 2.2. In our
analysis, single-rule acceleration plays a central role in finding diameter bounds, whereas the
procedures for counter automata employ more general forms of acceleration. In fact, $CA^0(A)$
and $CA^1(A)$ have the same reachability relation, and either of them can in principle be used as
the input to the techniques for counter automata.
We recall the definitions of counter automata from [30], operating on $m$ counters.


▶ Definition 20. An $m$-dimensional counter automaton $CA$ is defined as a tuple
$(Q, T, \mathit{src}, \mathit{tgt}, \{G_t\}_{t \in T})$ with the following properties:

- $Q$ and $T$ are finite, non-empty sets of CA-locations and CA-transitions respectively,

- $\mathit{src} : T \to Q$ and $\mathit{tgt} : T \to Q$ are the source and target mappings respectively, and

- $\{G_t\}_{t \in T}$ is a finite family of binary relations on $\mathbb{N}^m$ called flow guards.


The semantics of the counter automaton $CA$ is defined as a transition system $(C_{CA}, \to_{CA})$
with the following properties:

1. The set $C_{CA} = Q \times \mathbb{N}^m$ captures CA-configurations, and

2. the relation $\to_{CA} \subseteq C_{CA} \times C_{CA}$ captures CA-steps. $CA$ makes a step from a configuration
$(q, \vec x) \in C_{CA}$ to a configuration $(q', \vec x') \in C_{CA}$ via a transition $t \in T$ (formally written as
$(q, \vec x) \to_{CA} (q', \vec x')$) if the following holds:

$q = \mathit{src}(t)$ and $q' = \mathit{tgt}(t)$ and $(\vec x, \vec x') \in G_t$
Figure 6 A counter automaton for the threshold automaton in Figure 1.


A sequence $(q_1, \vec x_1), \dots, (q_k, \vec x_k)$ of CA-configurations is called a CA-path, if $(q_i, \vec x_i) \to_{CA}
(q_{i+1}, \vec x_{i+1})$ for $1 \le i < k$. Then, the reachability relation $\to^*_{CA} \subseteq \mathbb{N}^m \times \mathbb{N}^m$ contains all the
pairs of vectors that are connected with a path for some control locations, that is, $\vec x \to^*_{CA} \vec x'$
if and only if there is a CA-path $(q_1, \vec x_1), \dots, (q_k, \vec x_k)$ with $\vec x = \vec x_1$ and $\vec x' = \vec x_k$.


A counter automaton without acceleration. Fix an unrestricted threshold automaton
$A = (\mathcal{L}, \mathcal{I}, \Gamma, \Pi, \mathcal{R})$, and let $P$ be the set of variables $\mathcal{L} \cup \Gamma \cup \Pi$. To represent the configurations
of the UTA counter system, we use vectors $\vec x = (x_1, \dots, x_{|P|}) \in \mathbb{N}^{|P|}$, where each element $x_i$
stores the value of a variable from the set $P$ (there is a bijection). For a vector $\vec x \in \mathbb{N}^{|P|}$ and
a set $U \subseteq P$, with $\vec x|_U$, we denote the projection of $\vec x$ on the variables from $U$.

A $|P|$-dimensional counter automaton $CA^0(A) = (Q, T, \mathit{src}, \mathit{tgt}, \{G_t\}_{t \in T})$ is constructed
as follows:

- The automaton has only one CA-location, that is, $Q = \{q_0\}$ for some $q_0$,

- The CA-transitions are identical to the UTA rules, that is, $T = \mathcal{R}$,

- Every transition $t \in T$ originates from the location $q_0$ and ends in $q_0$; formally, $\mathit{src}(t) = \mathit{tgt}(t) = q_0$,

- For every rule $r \in \mathcal{R}$, the flow relation $G_r \subseteq \mathbb{N}^{|P|} \times \mathbb{N}^{|P|}$ is the intersection of two relations
$\mathit{Guard}_r$ and $\mathit{Update}_r$ that are defined as:

$(\vec x, \vec x') \in \mathit{Guard}_r$ if and only if $(\vec x|_\Gamma, \vec x|_\Pi) \models \bigwedge_{\varphi \in r.\varphi} \varphi$

$(\vec x, \vec x') \in \mathit{Update}_r$ if and only if $\vec x'|_\Pi = \vec x|_\Pi$, (1)

$\vec x'|_\Gamma = \vec x|_\Gamma + r.\vec u$, and $\vec x'|_{\mathcal{L}} = \vec x|_{\mathcal{L}} + \vec 1_{r.\mathit{to}} - \vec 1_{r.\mathit{from}}$ (2)


Given the threshold automaton in Figure 1, we construct the respective counter automaton 
in Figure 6. Apart from the shared variables and parameters, the counter automaton explicitly 
maintains a counter for each location of UTA, whereas in threshold automata these counters 
are implicit. 


A counter automaton with single-rule acceleration. Given a UTA $A$, we define its counter
automaton with single-rule acceleration $CA^1(A)$. This automaton is structurally the same as
$CA^0(A)$, except that the flow relation $G_r$ for $r \in \mathcal{R}$ accounts for a non-negative acceleration
factor $a$:

$(\vec x, \vec x') \in G_r$ if and only if $\exists a \ge 0.\ \forall k : 0 \le k < a.\ (\vec x + k \cdot r.\vec u, \vec x') \in \mathit{Guard}_r$,

$\vec x'|_\Pi = \vec x|_\Pi$, $\vec x'|_\Gamma = \vec x|_\Gamma + a \cdot r.\vec u$, and $\vec x'|_{\mathcal{L}} = \vec x|_{\mathcal{L}} + a \cdot (\vec 1_{r.\mathit{to}} - \vec 1_{r.\mathit{from}})$
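To make the two flow relations concrete, here is an added Python model, not code from the paper or its authors, of $CA^0(A)$ and $CA^1(A)$ for a small constructed threshold automaton: $n$ processes, one shared counter nsnt, parameters $n$ and $t$, and three rules. The automaton, its rule names and the parameter values are assumptions made for this illustration. The model evaluates the guard at every intermediate vector $\vec x + k \cdot r.\vec u$ with $0 \le k < a$, as the definition of $G_r$ requires, and then explores both automata from the same initial configuration to confirm that they reach the same set of configurations while $CA^1(A)$ needs far fewer steps.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A CA-configuration: one counter per variable in P = L ∪ Γ ∪ Π, keyed by variable name.
Vec = Dict[str, int]


@dataclass(frozen=True)
class Rule:
    """A UTA rule r = (from, to, guard, u) with a non-negative update vector r.u."""
    name: str
    frm: str                              # r.from: a location counter in L
    to: str                               # r.to
    guard: Callable[[Vec], bool]          # threshold guard, evaluated on (x|Γ, x|Π)
    update: Tuple[Tuple[str, int], ...]   # r.u: increments of shared variables in Γ


def shifted(x: Vec, r: Rule, k: int) -> Vec:
    """x + k * r.u: the shared variables after k copies of r have fired."""
    y = dict(x)
    for var, delta in r.update:
        y[var] += k * delta
    return y


def step_ca0(x: Vec, r: Rule) -> Optional[Vec]:
    """Guard_r ∩ Update_r of CA^0(A): a single process moves along r (None if disabled)."""
    if x[r.frm] < 1 or not r.guard(x):
        return None
    y = shifted(x, r, 1)
    y[r.frm] -= 1
    y[r.to] += 1
    return y


def step_ca1(x: Vec, r: Rule, a: int) -> Optional[Vec]:
    """Flow relation G_r of CA^1(A) with acceleration factor a: the guard must hold at
    x + k*r.u for every 0 <= k < a, and x'|L stays in N only if x[r.from] >= a."""
    if a < 0 or x[r.frm] < a:
        return None
    if not all(r.guard(shifted(x, r, k)) for k in range(a)):
        return None
    y = shifted(x, r, a)
    y[r.frm] -= a
    y[r.to] += a
    return y


def successors_ca0(x: Vec, rules: Tuple[Rule, ...]) -> List[Vec]:
    ys = [step_ca0(x, r) for r in rules]
    return [y for y in ys if y is not None]


def successors_ca1(x: Vec, rules: Tuple[Rule, ...]) -> List[Vec]:
    # a ranges over 0..x[r.from]; a = 0 is a stutter, a = 1 is a plain CA^0 step.
    ys = [step_ca1(x, r, a) for r in rules for a in range(x[r.frm] + 1)]
    return [y for y in ys if y is not None]


def key(x: Vec) -> Tuple[Tuple[str, int], ...]:
    return tuple(sorted(x.items()))


def explore(x0: Vec, rules, succ) -> Dict[Tuple, int]:
    """Breadth-first search; maps every reachable configuration to its shortest distance."""
    dist = {key(x0): 0}
    queue = deque([x0])
    while queue:
        x = queue.popleft()
        for y in succ(x, rules):
            if key(y) not in dist:
                dist[key(y)] = dist[key(x)] + 1
                queue.append(y)
    return dist


# Constructed automaton (an assumption of this example, not Figure 1 of the paper):
# locations l0, l1, l2; shared variable nsnt; parameters n (processes) and t (faults).
RULES = (
    Rule("send", "l0", "l1", lambda x: True, (("nsnt", 1),)),
    Rule("deliver", "l1", "l2", lambda x: x["nsnt"] >= x["n"] - x["t"], ()),
    # A "fast path" whose guard nsnt <= t flips while copies of the rule fire,
    # so the ∀k check limits the admissible acceleration factor.
    Rule("fast", "l0", "l2", lambda x: x["nsnt"] <= x["t"], (("nsnt", 1),)),
)


def initial(n: int, t: int) -> Vec:
    return {"l0": n, "l1": 0, "l2": 0, "nsnt": 0, "n": n, "t": t}


def compare(n: int, t: int) -> Tuple[bool, int, int]:
    """Whether CA^0 and CA^1 reach the same configurations, and the fewest steps each
    needs to bring all n processes to l2 with nsnt = n."""
    d0 = explore(initial(n, t), RULES, successors_ca0)
    d1 = explore(initial(n, t), RULES, successors_ca1)
    target = key({"l0": 0, "l1": 0, "l2": n, "nsnt": n, "n": n, "t": t})
    return set(d0) == set(d1), d0[target], d1[target]


if __name__ == "__main__":
    same, steps0, steps1 = compare(4, 1)
    print(f"same reachable set: {same}; CA^0 needs {steps0} steps, CA^1 needs {steps1}")
    print("three accelerated copies of 'fast':", step_ca1(initial(4, 1), RULES[2], 3))
```

For n = 4 and t = 1 the exploration reports the same reachable set for both automata; the unaccelerated automaton needs six steps to move every process to l2, the accelerated one two (send with a = 4, then deliver with a = 4). Three copies of the fast rule are rejected because the guard nsnt <= t is already false at the intermediate vector with k = 2, whereas two copies are accepted.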
Discussions. If we ignore the location $q_0$, the counter automaton $CA^1(A)$ has the same
transition relation as the counter system of $A$, as defined in Section 2.2 or in [25], that
is, with built-in single-rule acceleration. General acceleration procedures for reachability
analysis were developed for counter automata [30, 4]. These techniques terminate on flat
and flattable counter automata. A counter automaton is flat, if its control graph (built of
locations and transitions) does not contain nested loops [10]. A counter automaton $A$ is
flattable, if there is a flat counter automaton $F$ with the same reachability relation, that is,
$\to^*_A = \to^*_F$. The counter automata $CA^0(A)$ and $CA^1(A)$ are obviously not flat, as can be
seen from Figure 6; the question is whether they are flattable.

As can be seen from the definition of $CA^1(A)$, single-rule acceleration has a special
form: it merges successive occurrences of a rule of $CA^0(A)$ into one transition, provided
that the counter values are sufficiently large. The motivation behind this acceleration is to
perform transitions of many processes in a distributed system in parallel [25], in contrast to
compressing sequential steps.

The bounded diameter property for a threshold automaton $A$ implies flattability of the
counter automaton $CA^0(A)$. It is sufficient to unroll $CA^0(A)$ up to the diameter bound and
add self-loops to model single-rule acceleration:


▶ Proposition 21. For every unrestricted threshold automaton $A$, if the diameter of the
counter system $CS(A)$ is bounded, then the counter automaton $CA^0(A)$ is flattable.


6 Flattability for non-canonical threshold automata


It is easy to see that the counter systems of non-canonical threshold automata do not have
bounded diameter, when applying single-rule acceleration. Interestingly, we show that the
respective counter automata for NCTA are flattable. Hence, they can be analyzed with
general acceleration tools such as FAST [4].


Additional definitions. To prove flattability, we adapt a few definitions from [24]. Let $\Phi =
\bigcup_{r \in \mathcal{R}} r.\varphi$. Then, $\Phi^R = \{g \in \Phi \mid g \text{ is an upper guard}\}$ and $\Phi^F = \{g \in \Phi \mid g \text{ is a lower guard}\}$.
A context is a pair $(\Omega^R, \Omega^F)$, where $\Omega^R \subseteq \Phi^R$ and $\Omega^F \subseteq \Phi^F$. The set $\Omega^R$ keeps track of
unlocked guards from $\Phi^R$, and the set $\Omega^F$ keeps track of locked guards from $\Phi^F$. We usually
denote a context with $\Omega$, and refer to its first and second component by writing $\Omega^R$ and $\Omega^F$
respectively. For contexts $\Omega_1$ and $\Omega_2$, we say that $\Omega_1 \sqsubseteq \Omega_2$ if and only if $\Omega_1^R \cup \Omega_1^F \subseteq \Omega_2^R \cup \Omega_2^F$.

Finally, for a context $\Omega$, we define a formula $\mathit{form}(\Omega)$ that summarizes the constraints
of the guards that are locked/unlocked in the context: $\bigwedge_{\psi \in \Psi^+} \psi \wedge \bigwedge_{\psi \in \Psi^-} \neg\psi$ for $\Psi^+ =
\Omega^R \cup (\Phi^F \setminus \Omega^F)$ and $\Psi^- = (\Phi^R \setminus \Omega^R) \cup \Omega^F$. We write $[\mathit{form}(\Omega)]$ to denote the set of vectors
that satisfy $\mathit{form}(\Omega)$, that is, $\vec x \in [\mathit{form}(\Omega)]$ if and only if $(\vec x|_\Gamma, \vec x|_\Pi) \models \mathit{form}(\Omega)$ holds true.


▶ Definition 22. For a NCTA $A = (\mathcal{L}, \mathcal{I}, \Gamma, \Pi, \mathcal{R})$ and a context $\Omega$, we define the slice of $A$
with context $\Omega$ as a threshold automaton $A|_\Omega = (\mathcal{L}, \mathcal{I}, \Gamma, \Pi, \mathcal{R}|_\Omega)$, where a rule $r \in \mathcal{R}$ belongs
to $\mathcal{R}|_\Omega$ if and only if $\mathit{form}(\Omega) \to \bigwedge_{\varphi \in r.\varphi} \varphi$.
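The following added Python code, which is not from the paper, makes the bookkeeping of contexts and slices concrete for a small constructed NCTA: it enumerates the contexts $(\Omega^R, \Omega^F)$, evaluates $\mathit{form}(\Omega)$ on a configuration, computes the slice $\mathcal{R}|_\Omega$, checks the order $\sqsubseteq$, and assigns a configuration to the unique context whose $\mathit{form}(\Omega)$ it satisfies. The automaton, the guard and rule names and the parameter values are assumptions of this example. The slice is computed syntactically: since $\mathit{form}(\Omega)$ fixes the truth value of every guard in $\Phi$, a satisfiable $\mathit{form}(\Omega)$ implies a guard exactly when that guard lies in $\Psi^+$ (for an unsatisfiable context the implication would be vacuous, and $[\mathit{form}(\Omega)]$ is empty anyway).

```python
from dataclasses import dataclass
from itertools import chain, combinations
from typing import Callable, Dict, FrozenSet, List, Tuple

Vec = Dict[str, int]  # a configuration vector keyed by variable name


@dataclass(frozen=True)
class Guard:
    name: str
    kind: str                     # "upper": enters Ω^R once unlocked; "lower": enters Ω^F once locked
    holds: Callable[[Vec], bool]  # evaluation on (x|Γ, x|Π)


@dataclass(frozen=True)
class Rule:
    name: str
    frm: str
    to: str
    guards: FrozenSet[Guard]      # r.φ


Context = Tuple[FrozenSet[Guard], FrozenSet[Guard]]   # (Ω^R, Ω^F)


def upper_and_lower(rules) -> Tuple[FrozenSet[Guard], FrozenSet[Guard]]:
    """Φ^R and Φ^F, split from Φ = ∪_{r ∈ R} r.φ."""
    phi = frozenset(chain.from_iterable(r.guards for r in rules))
    return (frozenset(g for g in phi if g.kind == "upper"),
            frozenset(g for g in phi if g.kind == "lower"))


def subsets(gs: FrozenSet[Guard]) -> List[FrozenSet[Guard]]:
    ordered = sorted(gs, key=lambda g: g.name)
    return [frozenset(c) for k in range(len(ordered) + 1) for c in combinations(ordered, k)]


def all_contexts(rules) -> List[Context]:
    """Every pair (Ω^R, Ω^F) with Ω^R ⊆ Φ^R and Ω^F ⊆ Φ^F."""
    phi_r, phi_f = upper_and_lower(rules)
    return [(r, f) for r in subsets(phi_r) for f in subsets(phi_f)]


def psi(rules, omega: Context) -> Tuple[FrozenSet[Guard], FrozenSet[Guard]]:
    """Ψ^+ = Ω^R ∪ (Φ^F ∖ Ω^F) and Ψ^- = (Φ^R ∖ Ω^R) ∪ Ω^F, the two halves of form(Ω)."""
    phi_r, phi_f = upper_and_lower(rules)
    om_r, om_f = omega
    return om_r | (phi_f - om_f), (phi_r - om_r) | om_f


def in_form(rules, omega: Context, x: Vec) -> bool:
    """x ∈ [form(Ω)]: all guards of Ψ^+ hold at x and none of Ψ^- does."""
    plus, minus = psi(rules, omega)
    return all(g.holds(x) for g in plus) and not any(g.holds(x) for g in minus)


def slice_rules(rules, omega: Context) -> FrozenSet[Rule]:
    """R|_Ω (Definition 22): the rules whose guards are all asserted by form(Ω)."""
    plus, _ = psi(rules, omega)
    return frozenset(r for r in rules if r.guards <= plus)


def leq(o1: Context, o2: Context) -> bool:
    """Ω_1 ⊑ Ω_2 iff Ω_1^R ∪ Ω_1^F ⊆ Ω_2^R ∪ Ω_2^F."""
    return (o1[0] | o1[1]) <= (o2[0] | o2[1])


def context_of(rules, x: Vec) -> Context:
    """The context of x: the upper guards unlocked at x and the lower guards locked at x."""
    phi_r, phi_f = upper_and_lower(rules)
    return (frozenset(g for g in phi_r if g.holds(x)),
            frozenset(g for g in phi_f if not g.holds(x)))


def branch_pairs(rules) -> List[Tuple[int, int]]:
    """E = {(i, j) | Ω_i ⊑ Ω_j, i ≠ j} over the enumeration of all contexts."""
    cs = all_contexts(rules)
    return [(i, j) for i in range(len(cs)) for j in range(len(cs)) if i != j and leq(cs[i], cs[j])]


# Constructed NCTA (an assumption of this example): shared variable nsnt, parameters n and t.
G_ECHO = Guard("nsnt>=t+1", "upper", lambda x: x["nsnt"] >= x["t"] + 1)
G_ACCEPT = Guard("nsnt>=n-t", "upper", lambda x: x["nsnt"] >= x["n"] - x["t"])
G_EARLY = Guard("nsnt<t+1", "lower", lambda x: x["nsnt"] < x["t"] + 1)
RULES = (
    Rule("send", "l0", "l1", frozenset()),
    Rule("early", "l0", "l2", frozenset({G_EARLY})),
    Rule("echo", "l1", "l1", frozenset({G_ECHO})),
    Rule("accept", "l1", "l2", frozenset({G_ACCEPT})),
)


def slice_names(nsnt: int, n: int = 4, t: int = 1) -> Tuple[str, ...]:
    """Names of the rules in the slice of the context that a configuration with the
    given nsnt value belongs to."""
    x = {"l0": n, "l1": 0, "l2": 0, "nsnt": nsnt, "n": n, "t": t}
    return tuple(sorted(r.name for r in slice_rules(RULES, context_of(RULES, x))))


if __name__ == "__main__":
    for v in (0, 2, 3):
        print(f"nsnt={v}: slice = {slice_names(v)}")
    print("contexts:", len(all_contexts(RULES)), "branch pairs:", len(branch_pairs(RULES)))
```

With n = 4 and t = 1, a configuration with nsnt = 0 lies in the empty context, whose slice contains only send and early; at nsnt = 2 the upper guard of echo is unlocked and the lower guard of early is locked, so the slice becomes send and echo; at nsnt = 3 accept joins. The three contexts are ordered by $\sqsubseteq$ in this sequence, which is why the branches of the construction only ever move to a larger context. With two upper and one lower guard there are eight contexts and nineteen branch pairs.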


Overview of the proof. We start with an NCTA. The relation $\sqsubseteq$ is a partial order on the
contexts. We construct a flat counter automaton as a composition of flat counter automata,
one per context, that are then connected according to the partial order $\sqsubseteq$. Figure 7 sketches
the construction. In more detail, for each context $\Omega$ of $A$ we construct the slice. We show
that when one removes the threshold guards from the slice, its counter automaton becomes
structurally a BPP-net [16, 18], which are known to be flattable [30]. Thus, there is a
flattened counter automaton $F(\Omega)$ for $\Omega$. However, as $F(\Omega)$ does not have threshold guards,
it allows transitions to leave the context $\Omega$ earlier than in the original counter system. Thus,
we add additional constraints to $F(\Omega)$ to keep the transitions in the context, and form a "flat
slice". Then, we combine flat slices for each context according to the partial order between
the contexts, and obtain a flat counter automaton whose reachability relation is the same as
that of $CA^0(A)$.

Figure 7 An example of the flattened threshold automaton from Figure 1. The edges connecting
the gray blocks connect all the states inside the blocks.


▶ Proposition 23. For every non-canonical threshold automaton $A$ and context $\Omega$, there is
a flat counter automaton $\mathit{Flat}(A|_\Omega)$ that has the same reachability relation when restricted
to the CA-configurations that match the context, that is, $\to^*_{CA^0(A|_\Omega)} \cap [\mathit{form}(\Omega)]^2$ equals
$\to^*_{\mathit{Flat}(A|_\Omega)} \cap [\mathit{form}(\Omega)]^2$.


Assembling the flat counter automata for the slices. Fix a non-canonical threshold
automaton $A = (\mathcal{L}, \mathcal{I}, \Gamma, \Pi, \mathcal{R})$. Proposition 23 allows us to flatten a single slice. To
flatten $CA^0(A)$, we flatten slices and connect them with context changing transitions.

As a first step, we enumerate all contexts $\Omega_1, \dots, \Omega_K$, where $K = |2^{\Phi^R} \times 2^{\Phi^F}|$. For each
context $i \in \{1, \dots, K\}$, we apply Proposition 23 to construct a flat counter automaton
$\mathit{Flat}(i) = (Q_i, T_i, \mathit{src}_i, \mathit{tgt}_i, \{G_t\}_{t \in T_i})$. We assume that the sets $Q_1, \dots, Q_K$ and $T_1, \dots, T_K$
are all disjoint. We use $\mathit{Flat}(1), \dots, \mathit{Flat}(K)$ to construct two sets of counter automata:

1. An automaton $\mathit{FlatSlice}(i)$ produces paths of $CA^0(A)$ in the context $\Omega_i$. Formally,

$\mathit{FlatSlice}(i) = (Q_i, T_i, \mathit{src}_i, \mathit{tgt}_i, \{G_t \cap [\mathit{form}(\Omega_i)]^2\}_{t \in T_i})$.

2. An automaton $\mathit{Branch}(i, j)$, for $1 \le i, j \le K$ such that $\Omega_i \sqsubseteq \Omega_j$ and $i \ne j$, produces the
context-changing transitions from $\mathit{FlatSlice}(i)$ to $\mathit{FlatSlice}(j)$. Formally,


$\mathit{Branch}(i, j) = (Q_i \cup Q_j, T_{i,j}, \mathit{src}_{i,j}, \mathit{tgt}_{i,j}, \{G^{i,j}_t\}_{t \in T_{i,j}})$


where the components of $\mathit{Branch}(i, j)$ are defined as follows for $t \in T_i$:

- There is a transition for each $i$th slice transition and $j$th slice state: $T_{i,j} = T_i \times Q_j$,

- The mappings are $\mathit{src}_{i,j}((t, q)) = \mathit{src}_i(t)$ and $\mathit{tgt}_{i,j}((t, q)) = q$ for $q \in Q_j$, and

- We restrict the guards to the two contexts: $G^{i,j}_t = G_t \cap ([\mathit{form}(\Omega_i)] \times [\mathit{form}(\Omega_j)])$.


A flat version of $CA^0(A)$ is the union of all flat slices and branches:


$\mathit{Flattened}(A) = \bigcup_{1 \le i \le K} \mathit{FlatSlice}(i) \cup \bigcup_{(i,j) \in E} \mathit{Branch}(i, j)$ for $E = \{(i, j) \mid \Omega_i \sqsubseteq \Omega_j,\ i \ne j\}$ (3)
Figure 8 An unrestricted TA (left) and an equivalent threshold automaton (right).


We define the union $A \cup B$ as usual: The states, transitions, and flows of $A \cup B$ are the
unions of $A$'s and $B$'s states, transitions, and flows respectively. The source and target
mappings are identical to $A$'s and $B$'s mappings on their domains.


▶ Theorem 24. For every non-canonical threshold automaton $A$, its flattened version has
the same reachability relation: $\to^*_{\mathit{Flattened}(A)} = \to^*_{CA^0(A)}$.


7 Conclusions


Verification of infinite-state systems and parameterized concurrent systems is a lively research
area, e.g., see some recent results [19, 13, 1, 11, 17, 12, 31, 8, 2]. There are many different
modeling frameworks, and it is not easy to understand the relations between them. However,
this understanding is of paramount importance for reusing existing tools. In this paper, on
the one hand, we give reachability results for new classes of systems, and on the other hand,
establish the relation of the model in [25, 21] to counter automata [10, 30]. We clarify the
relation between the single-rule acceleration introduced in [25] and acceleration in (flattable)
counter automata [4, 30]. The single-rule acceleration in [25] is very simple compared to
the general acceleration techniques [30, 4]. Still, it was demonstrated to be effective in
parameterized verification of fault-tolerant distributed algorithms [22, 21].

The benefits of our extended framework are two-fold. On one hand, we can use our
results to optimize threshold automata. Figure 8 shows an unrestricted threshold automaton
that uses minimum and maximum. This UTA can be expressed as an equivalent threshold
automaton by introducing more rules and guards (see Figure 8), which makes it harder to
reason about. On the other hand, our framework permits some new guards, which have no
corresponding encoding in threshold automata. For instance, a threshold $x < \sqrt{n / \log n}$ in [3]
gives us such an example (though they are using the synchronous model of computation).

Some open questions still remain. Regarding application to distributed algorithms, we
observe that in the pseudo code of several distributed consensus algorithms, processes pick
the "most often received value" from a set of received values [5, 9]. A shared variable
encoding, such as the one in [26], maintains the number of messages with value 0 in a
shared variable $x_0$, and the number of messages with value 1 in a shared variable $x_1$. The
pseudo code statement about the "most often received value" needs a bounded difference
guard "$x_1 - x_0 > 0$", which leads to undecidability as we show. This calls for further insights
on modeling of such algorithms.

While we focused on reachability in this paper, as future work, we plan to lift the results 
of this paper to safety and liveness, following the ideas of [22]. 